Esc

Domain Account - T1087.002

(ATT&CK® Technique)

Definition

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1087002["Domain Account"] --> |enumerates| DomainUserAccount["Domain User Account"]; class T1087002 OffensiveTechniqueNode;
        class DomainUserAccount ArtifactNode; click DomainUserAccount href "../../../dao/artifact/d3f:DomainUserAccount";
        click T1087002 href "../../../offensive-technique/attack/T1087.002/"; click DomainUserAccount href "../../../dao/artifact/d3f:DomainUserAccount";             DomainAccountMonitoring["Domain Account Monitoring"] -->
          | monitors | DomainUserAccount["Domain User Account"];

          DomainAccountMonitoring["Domain Account Monitoring"] -.->
            | may-detect | T1087002["Domain Account"] ;
          class DomainAccountMonitoring DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click DomainAccountMonitoring href "../../../technique/d3f:DomainAccountMonitoring"; AccountLocking["Account Locking"] -->
          | disables | DomainUserAccount["Domain User Account"];

          AccountLocking["Account Locking"] -.->
            | may-evict | T1087002["Domain Account"] ;
          class AccountLocking DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click AccountLocking href "../../../technique/d3f:AccountLocking";                           UnlockAccount["Unlock Account"] -->
          | restores | DomainUserAccount["Domain User Account"];

          UnlockAccount["Unlock Account"] -.->
            | may-restore | T1087002["Domain Account"] ;
          class UnlockAccount DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click UnlockAccount href "../../../technique/d3f:UnlockAccount"; ChangeDefaultPassword["Change Default Password"] -->
          | strengthens | DomainUserAccount["Domain User Account"];

          ChangeDefaultPassword["Change Default Password"] -.->
            | may-harden | T1087002["Domain Account"] ;
          class ChangeDefaultPassword DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click ChangeDefaultPassword href "../../../technique/d3f:ChangeDefaultPassword"; AgentAuthentication["Agent Authentication"] -->
          | strengthens | DomainUserAccount["Domain User Account"];

          AgentAuthentication["Agent Authentication"] -.->
            | may-harden | T1087002["Domain Account"] ;
          class AgentAuthentication DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click AgentAuthentication href "../../../technique/d3f:AgentAuthentication";                                   RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | DomainUserAccount["Domain User Account"];

          RestoreUserAccountAccess["Restore User Account Access"] -.->
            | may-restore | T1087002["Domain Account"] ;
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click RestoreUserAccountAccess href "../../../technique/d3f:RestoreUserAccountAccess";                           UserAccountPermissions["User Account Permissions"] -->
          | restricts | DomainUserAccount["Domain User Account"];

          UserAccountPermissions["User Account Permissions"] -.->
            | may-isolate | T1087002["Domain Account"] ;
          class UserAccountPermissions DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click UserAccountPermissions href "../../../technique/d3f:UserAccountPermissions";

json